Comment # 30 on bug 1173158 from Jiri Slaby

(In reply to Martin Wilck from comment #26)
> sold. But that's just a single, once-in-a-system-lifetime MOK operation away.

The upstream kernel does not verify module signatures against MOK keys. You
need a non-upstream patch:
  patches.suse/KEYS-Make-use-of-platform-keyring-for-module-signatu.patch
for that. Leap indeed inherits it from SLE, TW doesn't have it...

So TW should keep MODULE_SIG as I don't want to lose the ability to check if
modules are genuine. If you ask me, I would not set SIG_FORCE to allow loading
of other modules (like nvidia, but there are many others, like those built by
myself). Loading such a module properly taints the kernel which is good.

For Leap, I have no opinion.